How to extend Dataverse and Power Pages using the Portals Web API, integrate third-party content, and ensure security and access control.
Introduction to the Portals Web API
The Portals Web API is a key component of the Power Pages architecture. It allows interaction with Microsoft Dataverse data directly from public pages or external applications. Built as an extension of the Dataverse Web API, this interface enables CRUD (Create, Read, Update, Delete) operations through secure endpoints, enabling a wide range of integration scenarios.
The Power Pages technology, an evolution of Power Apps Portals, is based on a shared Microsoft Azure infrastructure. A dedicated Azure subscription is not required since all runtime operations are hosted and managed as a service. This approach simplifies deployment and guarantees multi-layer security, data isolation, and automatic scalability.
The content of each portal is configured and customized within the Dataverse database. Entities, web pages, content snippets, and templates are managed via dedicated tables, while advanced extensions can be implemented using Liquid templates or JavaScript scripts.
Architecture and Main Components
The Power Pages Web API is built upon five fundamental pillars:
Azure Runtime Environment: The Azure-based execution environment that ensures secure hosting and automatic scalability of portals.
Dataverse Configuration: Stores the structure, business rules, and metadata of the portal.
Portals Web API: REST interface for performing actions on Dataverse without creating complex server-side connections.
Authentication and Security: Access management through Azure AD, Microsoft, Google, LinkedIn, and other providers.
Each portal can be configured for public or authenticated access. Through the Web API, developers can build backend logic that interacts with business data while maintaining security via authentication tokens and Dataverse role-based permissions.
Embedding and Third-Party Content Integration
Embedding allows external or Dataverse content to be integrated into portals, applications, or websites. The most common use cases include publishing forms, views, or reports directly on external pages. This is achieved through addressable resources that enable the display of preconfigured forms or dashboards.
For example, a Dataverse form can be embedded in an external site using an HTML frame with context parameters such as:
These parameters pass information such as record ID, table type, and user language to the embedded content. You can also limit cross-frame scripting by enabling the Restrict cross-frame scripting option to prevent XSS attacks or unauthorized browser plugin usage.
The embedding process is bidirectional: Dataverse content can be embedded in external portals, or third-party applications (such as Power BI reports or Azure widgets) can be included within Power Pages. This flexibility enables hybrid integration scenarios between internal and public systems.
Frontend Extensibility with Liquid and JavaScript
Power Pages supports advanced client-side extensibility through the combination of Liquid, HTML, CSS, and JavaScript. Developers can access Dataverse data, create dynamic layouts, and customize user experiences based on context.
For example, you can use Liquid to generate conditional content:
{% if user %}
<p>Welcome, {{ user.fullname }}!</p>
{% else %}
<p>Please sign in to view your data.</p>
{% endif %}
Combining this with the Portals Web API, a portal can retrieve and update Dataverse information in real time using AJAX or Fetch API calls. This model ensures smooth, interactive experiences typical of modern applications.
Security and Authentication
Power Pages supports multiple integrated authentication methods. Users can log in with local credentials stored in the Dataverse Contact table or authenticate using external providers such as Azure AD, Azure AD B2C, Google, Facebook, or Microsoft Identity.
Multiple providers can be configured simultaneously to offer users more flexibility. You can also define IP-based access rules to restrict portal availability to specific regions. Security roles and Web Page Access Control Rules define which users or groups can access specific content.
The Portals Web API inherits these rules, ensuring that each operation executes in the context of an authenticated user and according to Dataverse-defined privileges. OAuth 2.0 authentication is recommended for all external integrations to ensure compliance with corporate and privacy regulations.
Best Practices for Extensibility
Use APIs only for necessary operations, minimizing access permissions.
Implement server-side validation for all data received via the Portals Web API.
Protect public endpoints with HTTPS and security tokens.
Upload scripts and assets as web resources in Dataverse for better control and versioning.
Test integrations in sandbox environments before production deployment.
Following these guidelines ensures a secure, performant, and maintainable portal aligned with Microsoft’s best practices.
Interaction Diagram
Communication flow between Power Pages, Portals Web API, and Dataverse.
Frequently Asked Questions
What is the Portals Web API?
It is a REST interface that allows interaction with Dataverse data within Power Pages portals, enabling secure and controlled CRUD operations.
Can I integrate external content into a portal?
Yes, Power Pages allows embedding third-party applications or content via iFrame or Liquid while maintaining context and security control.
How can I secure API calls?
Use OAuth 2.0 authentication, HTTPS, and role-based Dataverse access rules. Avoid exposing unprotected public endpoints.
Learn how to build integrated and secure solutions with Power Pages, Dataverse, and Azure. Check Microsoft’s official guidelines for designing scalable and high-performance portals.
